[llvm] [Github] Hash Pin Actions in Most Workflows (PR #129486)
Carlo Cabrera via llvm-commits
llvm-commits at lists.llvm.org
Sun Mar 16 23:04:22 PDT 2025
================
@@ -60,12 +60,12 @@ jobs:
# a local checkout beforehand.
- name: Fetch LLVM sources (Push)
if: ${{ github.event_name == 'push' }}
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
- name: Get subprojects that have doc changes
id: docs-changed-subprojects
- uses: tj-actions/changed-files at v39
+ uses: tj-actions/changed-files at fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
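Review bot: The `# v4.2.2` and `# v39.2.4` trailers on the two `uses:` lines are plain YAML comments; the runner resolves only the 40-character SHA, so each comment should be checked against the tag the SHA was taken from at pin time and updated on every future bump, otherwise the step pins one revision while advertising another. Recording how each SHA was matched to its tag in the PR description would let reviewers confirm the pins without re-deriving them.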
----------------
carlocab wrote:
> I want to do at least look at all the third party actions we're using and maybe even reimplement some of the simple ones to reduce risk.
This is a good idea. Lots of them won't be too difficult to replace with direct calls to the GitHub REST/GraphQL API.
We may also want to create an allowlist of third-party actions that can be used in LLVM organisation repos. This can be configured in the repo settings so that workflows that use actions not on the allowlist will fail to execute and error out.
https://github.com/llvm/llvm-project/pull/129486
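The two controls discussed in this thread, pinning actions to a full commit SHA and restricting which third-party actions a repository may use, can both be checked mechanically before a workflow file lands. The following script is an added example written for this page, not code from the LLVM project or from the PR; the sample workflow fragment and the `ALLOWLIST` set are constructed for illustration, and the real allowlist lives in the GitHub repository or organisation settings rather than in a script.

```python
import re

# Constructed sample workflow fragment (not taken from the LLVM repository).
# It mixes a SHA-pinned action with a version comment, an action pinned only
# to a mutable tag, an action outside the allowlist, and a local action.
SAMPLE_WORKFLOW = """\
jobs:
  docs:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 1
      - uses: tj-actions/changed-files@v39
      - uses: example-org/unvetted-action@0123456789abcdef0123456789abcdef01234567 # v1.0.0
      - uses: ./.github/actions/local-helper
"""

# Hypothetical organisation allowlist of permitted third-party actions.
ALLOWLIST = {"actions/checkout", "tj-actions/changed-files"}

# Matches a `uses:` step line, capturing the reference and an optional
# trailing `# comment` (conventionally the human-readable version).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?\s*$", re.MULTILINE)
# A full 40-hex-character commit SHA is the only immutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, allowlist):
    """Return one finding dict per third-party `uses:` reference in the workflow."""
    findings = []
    for ref, comment in USES_RE.findall(text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are outside this check
        action, _, version = ref.partition("@")
        pinned = bool(SHA_RE.match(version))
        findings.append({
            "action": action,
            "version": version,
            "pinned_to_sha": pinned,
            # a SHA pin should carry a version comment so humans can read it
            "has_version_comment": pinned and bool(comment),
            "allowed": action in allowlist,
        })
    return findings


def violations(text, allowlist):
    """Actions that are not SHA-pinned or not on the allowlist, in file order."""
    return [f["action"] for f in audit_workflow(text, allowlist)
            if not f["pinned_to_sha"] or not f["allowed"]]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW, ALLOWLIST):
        print(finding)
    print("violations:", violations(SAMPLE_WORKFLOW, ALLOWLIST))
```

Run as a pre-commit or CI step over `.github/workflows/*.yml`, a non-empty `violations` list is the signal to block the change; the `has_version_comment` flag separately catches SHA pins that lost their `# vX.Y.Z` annotation, which is what makes a SHA pin reviewable by humans.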